---
description:
  Learn how to disable GraphQL schema introspection and the "did you mean x" suggestion feature.
---

import { Callout } from '@theguild/components'

# Introspection

A powerful feature of GraphQL is schema introspection. This feature is used by GraphiQL for
exploring the schema and also by tooling such as
[GraphQL Code Generator](https://the-guild.dev/graphql/codegen) for generating type-safe
client/frontend code.

GraphQL schema introspection is also a feature that allows clients to ask a GraphQL server what
GraphQL features it supports (e.g. defer/stream or subscriptions).

## Disabling Introspection

<Callout>
  If your goal is to avoid unknown actors from reverse-engineering your GraphQL
  schema and executing arbitrary operations, it is highly recommended to use
  persisted operations.

[Learn more about persisted operations.](/docs/features/persisted-operations)

</Callout>

```ts "Disabling GraphQL schema introspection with a plugin" {7}
import { createYoga } from 'graphql-yoga'
import { useDisableIntrospection } from '@graphql-yoga/plugin-disable-introspection'

// Provide your schema
const yoga = createYoga({
  graphiql: false,
  plugins: [useDisableIntrospection()]
})

const server = createServer(yoga)
server.listen(4000, () => {
  console.info('Server is running on http://localhost:4000/graphql')
})
```

## Disable Introspection based on the GraphQL Request

Sometimes you want to allow introspectition for certain users. You can access the `Request` object
and determine based on that whether introspection should be enabled or not. E.g. you can check the
headers.

```ts "Disabling GraphQL schema introspection conditionally" {7}
import { createYoga } from 'graphql-yoga'
import { useDisableIntrospection } from '@graphql-yoga/plugin-disable-introspection'

// Provide your schema
const yoga = createYoga({
  graphiql: false,
  plugins: [
    useDisableIntrospection({
      isDisabled: request => request.headers.get('x-allow-introspection') !== 'secret-access-key'
    })
  ]
})

const server = createServer(yoga)
server.listen(4000, () => {
  console.info('Server is running on http://localhost:4000/graphql')
})
```

## Disable Introspection based on the context

You can also disable introspection based on the context. This is useful when you want to disable it
via another auth plugin like [JWT Plugin](/docs/features/jwt).

```ts "Disabling GraphQL schema introspection based on the context" {7}
import { createYoga } from 'graphql-yoga'
import { useDisableIntrospection } from '@graphql-yoga/plugin-disable-introspection'
import { useJWT } from '@graphql-yoga/plugin-jwt'

// Provide your schema
const yoga = createYoga({
  graphiql: false,
  plugins: [
    useJWT({
      /* .. */
    }),
    useDisableIntrospection({
      isDisabled: (_req, ctx) => !ctx.jwt
    })
  ]
})

const server = createServer(yoga)
server.listen(4000, () => {
  console.info('Server is running on http://localhost:4000/graphql')
})
```

## Disabling Field Suggestions

<Callout>
  The [`graphql-armor`](https://github.com/Escape-Technologies/graphql-armor) plugin is a security layer that help you protect your GraphQL server from malicious queries.
  It allows you to configure various security features such as character limit or blocking field suggestions.
  For more information about `graphql-armor` features, you can refer to the [documentation](https://escape.tech/graphql-armor/docs/category/plugins).

Here is an example of how to use `graphql-armor` to disable introspection and block field
suggestions.

</Callout>

When executing invalid GraphQL operation the GraphQL engine will try to construct smart suggestions
that hint typos in the executed GraphQL document. This can be considered a security issue, as it can
leak information about the GraphQL schema, even if introspection is disabled.

<Callout>
  If your goal is to avoid unknown actors from reverse-engineering your GraphQL
  schema and executing arbitrary operations, it is highly recommended to use
  persisted operations.

[Learn more about persisted operations.](/docs/features/persisted-operations)

</Callout>

Disabling the "did you mean x" suggestion feature can be achieved via the
`blockFieldSuggestionsPlugin` from
[`graphql-armor`](https://github.com/Escape-Technologies/graphql-armor).

```sh npm2yarn
npm i @escape.tech/graphql-armor-block-field-suggestions
```

```ts filename="Disabling the 'did you mean x' suggestion feature with a plugin" {2, 7}
import { createYoga } from 'graphql-yoga'
import { blockFieldSuggestionsPlugin } from '@escape.tech/graphql-armor-block-field-suggestions'

// Provide your schema
const yoga = createYoga({
  graphiql: false,
  plugins: [useDisableIntrospection(), blockFieldSuggestionsPlugin()]
})

const server = createServer(yoga)
server.listen(4000, () => {
  console.info('Server is running on http://localhost:4000/graphql')
})
```
